An Empirical Analysis of Incorrect Account Remediation in the Case of Broken Authentication

Cited by: 2
Authors
Lee, Jeongho [1]
Choi, Hyoung-Kee [2]
Yoon, Jin Hee [3]
Kim, Seongjune [3]
Affiliations
[1] Sungkyunkwan Univ, Dept Elect & Comp Engn, Suwon 16419, South Korea
[2] Sungkyunkwan Univ, Coll Software, Suwon 16419, South Korea
[3] Sungkyunkwan Univ, Dept Comp Sci & Engn, Suwon 16419, South Korea
Keywords
Cyber security; internet security; trust management; broken authentication; account remediation; security measurement;
DOI
10.1109/ACCESS.2023.3343411
CLC number
TP [Automation technology, computer technology];
Subject classification
0812 ;
Abstract
One of the most critical vulnerabilities in authentication, commonly referred to as "broken authentication," poses a serious threat: it leads to the compromise of user credentials and the unauthorized hijacking of sessions. Addressing such breaches is imperative and requires effective remediation mechanisms. Our primary objective is to assess and enhance the security posture of these remediation mechanisms by addressing the vulnerabilities associated with broken authentication. Our investigation reveals deficiencies in how the three prevailing remediation mechanisms are implemented across popular Service Providers (SPs), rendering manual remediation attempts futile. We support this claim by measuring post-compromise security preparedness across more than 350 popular websites and applications. For the measurement, SPs were divided into three groups so that the correctness of the remediation mechanisms could be compared across groups. Based on the measurement and evaluation results, we analyzed the root cause of this incorrectness and discuss possible mitigations and practical recommendations for solving the remediation problems. The scope of this study ranges from the compromise itself to the immediate consequences of the countermeasures; the causes of broken authentication and descriptions of attacks that break authentication are therefore beyond its scope. Detailed case studies of four popular SPs are included to discuss their distinctive reactive prevention behaviors. Our observations and results show how opaque and difficult to audit remediation mechanisms are, which contributes to underestimating the security threat posed by ineffective revocations.
Pages: 141610 / 141627
Page count: 18